
CVS Security Issues: msg#00003

Subject: CVS Security Issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Two patches were recently brought to my attention.  One moves the
CVSROOT/passwd file(s) into /etc/cvs.passwd
<http://www.xs4all.nl/~carlo17/cvs/index.html> and the other adds a
/etc/cvs-repouids which overrides any system users listed for users in
the CVSROOT/passwd file
<ftp://ftp.gnu.org/savannah/patches/wichert-cvs-patch.text>.

The idea of both is to make it harder to overwrite the CVSROOT/passwd
file and gain root.  I've actually just committed a fix that will be
released soon with 1.11.11 & 1.12.5 which causes CVS to refuse to
continue running if the system user specified in CVSROOT/passwd maps to
root, but that doesn't stop anyone with write access to the
CVSROOT/passwd file from assuming any other UID they'd like.

Does anyone else have any opinions on this?  I'm a little torn on the
issue (aside from the fact that I don't have time to write the
documentation for the patches just now).  On the one hand, this could
move some of CVS's vulnerable files to a location where they are harder
to get at.  On the other hand, CVS repositories have been mostly
self-contained for some time, and the documentation already makes it
clear that CVSROOT permissions should be controlled as tightly as
/etc's, so I'm not inclined to be swayed by the complaint that a simple
misstep in setting the group ownership of CVSROOT is all it takes to
open your system up to an already trusted user - the same could be said
for /etc.

Consolidation of vulnerable files might almost be a valid argument, but
I don't think I buy it.  Plenty of other sensitive files are scattered
around /var and elsewhere by various programs and I hear few
complaints.  Is there a standards document I should be reading?

Derek

- --
                *8^)

Email: derek@xxxxxxxxxxx

Get CVS support at <http://ximbiot.com>!
- --
I've never made a mistake in my life.  I thought I had once, but it
turned out that I hadn't.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQE/4f9hLD1OTBfyMaQRAhZTAJ4r7BdylGSUU66lyiftjTxIClRbXwCgqep7
FBWdVp8sUgZ2+432auNHFfE=
=f6Sq
-----END PGP SIGNATURE-----
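The check described in the message above (refusing a CVSROOT/passwd entry whose system user maps to root) together with the residual exposure it leaves (any other UID named in the file is still obtainable by whoever can write it), as an added example that is not part of this thread and not CVS's own code. It is a small Python audit of a CVSROOT/passwd file. It assumes the documented line format `cvs_user:crypted_password[:system_user]`, with an absent third field meaning the CVS username doubles as the system username, and it uses a constructed in-memory name-to-uid table in place of the system account database so it runs offline.

```python
from dataclasses import dataclass

# Constructed sample CVSROOT/passwd contents (not taken from any real repository).
# Format: cvs_user:crypted_password[:system_user]; when the third field is
# absent, CVS uses the CVS username as the system username.
SAMPLE_CVSROOT_PASSWD = """\
# comments and blank lines are ignored
alice:$1$ab$cdefghij:cvsuser
bob:$1$cd$efghijkl:root
carol:$1$ef$ghijklmn
dave:$1$gh$ijklmnop:www
eve:$1$ij$klmnopqr:nobody
"""

# Constructed stand-in for the system account database (name -> uid), used
# here instead of pwd.getpwnam() so the example runs without a real /etc/passwd.
SAMPLE_SYSTEM_USERS = {"root": 0, "www": 33, "cvsuser": 1001, "carol": 1003}


@dataclass
class Finding:
    lineno: int
    cvs_user: str
    system_user: str
    problem: str


def parse_cvsroot_passwd(text):
    """Yield (lineno, cvs_user, crypted, system_user) for each non-comment entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 colon-separated fields")
        cvs_user, crypted = fields[0], fields[1]
        # Empty or missing third field: the system user defaults to the CVS username.
        system_user = fields[2] if len(fields) == 3 and fields[2] else cvs_user
        yield lineno, cvs_user, crypted, system_user


def audit(text, system_users, root_uid=0):
    """Flag entries whose system user is root (what 1.11.11/1.12.5 refuse to run
    with) and entries naming a system account that does not exist."""
    findings = []
    for lineno, cvs_user, _crypted, system_user in parse_cvsroot_passwd(text):
        uid = system_users.get(system_user)
        if uid is None:
            findings.append(Finding(lineno, cvs_user, system_user, "unknown system user"))
        elif uid == root_uid:
            findings.append(Finding(lineno, cvs_user, system_user, "maps to root"))
    return findings


def reachable_uids(text, system_users):
    """The set of UIDs this file hands out: the exposure that remains even with
    the root check in place, for anyone able to edit the file."""
    return {system_users[su] for _, _, _, su in parse_cvsroot_passwd(text)
            if su in system_users}


def loose_permissions(st_mode):
    """True if group or other may write the file (the group-ownership misstep
    discussed in the message); pass os.stat(path).st_mode on a real repository."""
    return bool(st_mode & 0o022)


if __name__ == "__main__":
    for f in audit(SAMPLE_CVSROOT_PASSWD, SAMPLE_SYSTEM_USERS):
        print(f"line {f.lineno}: {f.cvs_user} -> {f.system_user}: {f.problem}")
    print("reachable uids:", sorted(reachable_uids(SAMPLE_CVSROOT_PASSWD, SAMPLE_SYSTEM_USERS)))
```

Against the constructed sample, the audit flags `bob` (maps to root) and `eve` (no such system account), while `reachable_uids` still reports four UIDs, including 0, which is the point made in the message: the root check only removes one of the identities a writer of CVSROOT/passwd can assume.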

